Lightlesscan

Malware updated 4 months ago (2024-05-04T20:40:38.083Z)
LightlessCan is a new and advanced malware, discovered by ESET, that has been added to the arsenal of North Korea's Lazarus Group. It is the successor to the group's flagship HTTP(S) remote access trojan (RAT), BlindingCan. ESET's senior malware researcher Peter Kálnai notes that it represents a significant advance in malicious capability over its predecessor: it mimics the functionality of a broad range of native Windows commands, so that those commands can be executed discreetly inside the RAT itself rather than by launching the real system utilities, which makes detecting and analysing attacker activity harder.

The threat actor initially gained access to the company's systems through a spear-phishing attack in which the operator posed as a recruiter for Meta, Facebook's parent company. Once inside, they deployed LightlessCan. One of the most notable aspects of the RAT is its ability to mimic commands such as ping, ipconfig, systeminfo, sc and net while returning a hard-coded "The operation completed successfully" string as output. This obscures what the RAT is actually doing and adds another layer of complexity to its operation.

ESET's analysts believe LightlessCan is based on the BlindingCan source code, because the ordering of the commands shared by the two families is largely preserved despite some differences in their indexing. In developing LightlessCan, Lazarus may have reverse-engineered closed-source Windows system binaries to add functionality to the RAT. In the attack documented by ESET, LightlessCan supported 68 commands, of which only 43 appear to be implemented.

The malware was discovered after Lazarus Group impersonated a Meta recruiter on LinkedIn to target a Spain-based aerospace firm with LightlessCan.
Description last updated: 2024-05-04T16:53:28.826Z
Aliases: none currently tracked
Miscellaneous Associations (other elements of context that could aid in assessing relevance): Backdoor, RAT, ESET, Payload, Windows, Malware, Downloader, Implant
Associated Malware
ID: BLINDINGCAN
Type: Unspecified
Votes: 4
Profile Description: BlindingCan, also known as AIRDRY or ZetaNile, is a multifaceted malware capable of extracting sensitive data from compromised hosts. The threat actor gained initial access to systems via spear-phishing attacks masquerading as recruiters for high-profile companies and deployed new malware dubbed "Li
Associated Threat Actors
ID: Lazarus Group
Type: Unspecified
Votes: 3
Profile Description: The Lazarus Group, a notorious threat actor associated with North Korea, has been implicated in several high-profile cyber attacks and exploitation activities. The group's objective often involves establishing a kernel read/write primitive, which allows them to gain high-level access to systems and
Source Document References
Information about the LightlessCan malware was read from the documents listed below (source, age, title).
CERT-EU (a year ago): LinkedIn Messaging used by APT to phish aerospace target and plant novel malware
CERT-EU (a year ago): Cyber Security Week in Review: October 6, 2023
CERT-EU (a year ago): North Korea's Lazarus Group upgrades its main malware
CERT-EU (a year ago): North Korean hackers target S.Korea's shipbuilders
CERT-EU (a year ago): Trojanized VNC apps leveraged in defense-targeted Lazarus Group attacks
CERT-EU (a year ago): Lazarus Group Targeting Defense Experts with Fake Interviews via Trojanized VNC Apps
CERT-EU (a year ago): Lazarus APT Exploiting LinkedIn to Target Spanish Aerospace Firm
CERT-EU (a year ago): Security Breach: Hacker Poses as Meta Recruiter, Targets Aerospace Company
BankInfoSecurity (a year ago): Hackers Impersonate Meta Recruiter to Target Aerospace Firm
CERT-EU (a year ago): In Other News: RSA Encryption Attack, Meta AI Privacy, ShinyHunters Hacker Guilty Plea
ESET (a year ago): How Lazarus impersonated Meta to attack a target in Spain – Week in security with Tony Anscombe
DARKReading (a year ago): North Korea Poses as Meta to Deploy Complex Backdoor at Aerospace Org
Securityaffairs (a year ago): North Korean Lazarus targeted a Spanish aerospace company
CERT-EU (a year ago): Lazarus luring employees with trojanized coding challenges: The case of a Spanish aerospace company
CERT-EU (a year ago): Lazarus hackers breach aerospace firm with new LightlessCan malware
CERT-EU (a year ago): Lazarus Group Impersonates Recruiter from Meta to Target Spanish Aerospace Firm